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1 Executive Summary 


1.1 Background 

As part of our 2015-16 Internal Audit Plan, we agreed to deliver a review 
of the ICO’s staff performance management arrangements to confirm that 
the ICO has a robust staff performance management process that supports 
the achievement of organisational and departmental objectives. 


Following feedback from staff and managers during employee workshops, 
the ICO developed and implemented a revised Personal Development 
Record (PDR) structure in September/October 2014 to make the process 
easier to administer, forward looking and fairer for all. Line managers are 
responsible for assessing individual staff performance through in-year 
reviews, annual appraisal reviews and informal monitoring (i.e. through 
day-to-day interaction, communication and feedback), basing discussions 
around three main areas: 


e "How am I doing”; 
e "What can we do to improve"; and 
e "What more can I do to develop". 


The aim of the process is to promptly identify those individuals who are 
“not performing” to the expected standards and to acknowledge those 
who are “performing to expectations”. The process should also identify 
appropriate development plans to address poor performance as well as to 
challenge and stretch individuals to motivate and drive strong 
performance. 
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The ICO has a Performance Management policy in place to support the 
PDR process. The policy requires the assessment of all staff, the recording 
of their development needs and the management of individuals identified 
as poor performers, either due to capability or disciplinary factors through 
a comprehensive performance monitoring review. 


1.2 Scope 
Our review focussed on the following risk areas: 


e The framework for performance management may not be established, 
clearly communicated and/or fully embedded across the ICO; 

e Managers may not receive support and guidance in implementing the 
ICO's performance management framework; 

e Individual’s objectives may not support their development nor align 
with the ICO’s strategic objectives; 

e Managers may not regularly engage with their staff to discuss 
performance and the steps needed to address improvement areas, with 
indicators of poor performance may not be promptly identified and 
addressed; 

e Effective data on staff performance may not be produced or utilised.. 


Further details on responsibilities, approach and scope are included in 
Appendix A. 
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1.3 Overall assessment 
We have made an overall assessment of our findings as: 


Overall assessment 


Following agreement of the nature and significance of individual issues 
with management, in our view this report contains matters which require 
the attention of management to resolve and report on progress in line 
with current follow up processes. 


Please refer to Appendix B for further information regarding our overall 


assessment and audit finding ratings. 


1.4 Key findings 


Risk / Process 


Performance management framework = = 1 = 


Support and guidance for managers - 2 = = 


Alignment between individual and { 
corporate objectives 


Identifying and managing 
performance 


Reporting of performance data - 1 - 7 


Total - 3 2 - 


The following findings are assessed as Medium: 


e With the move to a “two box” assessment structure and the current 
lack of an agreed reward and recognition process, we noted that the 
role of managers in coaching, development and motivation has 
become more significant. Outside of the original PDR training, 
managers have not been provided with appropriate guidance to 


effectively perform this function. In addition to the formal agreement 
of the policy that is designed to recognise excellent performance by the 
Senior Leadership Team, we would expect that a briefing and support 
programme be created to develop management skills within the ICO; 
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Following implementation of the PDR process, Learning and 
Development do not maintain a record of the completion or indicative 
markings of in-year or end of year discussions. Our review of a sample 
of 25 staff records noted that 5 had no formal performance record 
lodged for 2014-15 with no reason for the omission. We would expect 
central control (including periodic reminders to staff and managers of 
their respective responsibilities) over the PDR process to be 
maintained by Organisational Development to provide assurance that 
it continues to operate effectively; 


The Senior Leadership Team currently have no information on the 
effectiveness of the PDR process, issues in relation to PDR 
completion or trends in overall staff performance. We would expect 
PDR activity to be collated and analysed by Organisational 
Development and presented on a regular basis to allow the process to 
be assessed and issues promptly identified allowing appropriate 
mitigation to take place. 


Further details of our findings and recommendations are provided in 
Section 2. 


1.5 Basis of preparation 
We identified the following controls in place during our audit: 


The revised performance development process strategy and guidance 
was presented to and accepted by the Senior Leadership Group in July 
2014; 

The performance development guide is available to all staff on the 
ICO intranet and clearly sets out the performance development 
process and timeline, aims of the process, objective setting, holding 
and recording in-year meetings and assessment and marking; 

Staff objectives and performance are recorded on a single template 
updated following in-year discussions and the end of year formal 
review. The template contains headings for objectives, statements of 
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performance, improvement and development points, an overall 
performance rating and an area for manager sign off; 

e All ICO staff have been trained in the performance development 
process. In addition to the standard training managers are also 
provided with support around objective setting and performance 
measurement. Training is also provided to new starters as part of their 
starter induction; 

e In addition to the detail contained in the performance development 
guidance, managers are provided with handouts that detail and provide 
examples of both effective and ineffective objectives; 

e Although there is not a mandated end of year period, staff and 
managers will complete appraisals between the end of March and end 
of May in the reporting year following the Corporate Plan and 
Business Plan updates. 


1.6 Elsewhere in the sector 

We detail below other ways of working and commonly occurring issues 
that we have experienced during similar types of reviews for other public 
bodies. The following does not necessarily purport to be good practice but 
is included for your information and consideration: 


e Other bodies maintain appraisal records on 'self-service' applications 
ot databases. In-year appraisal meetings and appraisal forms may then 
be recorded or uploaded by staff members, thereby reducing the 
administrative burden on a central area. Appraisal tracking and 
management information may also be produced from these 
applications on request; 

e Other similar organisations will review policies and procedures that 
support performance management (such as managing poor 
performance) on a rolling basis to provide management with assurance 
that all relevant up-to-date legislation has been considered and taken 
into account. 
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1.7 Acknowledgement 
We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
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The framework for performance management may not be established, clearly communicated and/or fully embedded 


a| Low Scope and responsibility of the Moderation Panel 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


Prior to the implementation of the new PDR process, the 
Moderation Panel, made up from members of the Executive 
Team would meet to consider all staff performance markings 
markings and the marking distribution curve. With the 
change in the PDR process and the introduction of only two 
box markings, the function of the Panel changed to one of 
reviewing only cases of new poor performers (of which there 
were none in 2014-15). 


The new role taken on by the Panel does not fit with the 
‘Managing Poor Performance' process already embedded in 
the ICO and duplicates control already in place. 
Performance improvement processes may be instigated at 
any point during the year (not just at year end) and already 
include a series of formal reviews and Executive meeting 
stage prior to formal performance measures being 
introduced. 


In maintaining a separate function that only meets once a 
year to consider those assessed as 'Not Effective' and is not 
aligned with processes already in place, there is a risk that 
management decision making may not be consistent or 
timely resulting in appropriate action not being taken to 
address poor individual performance. 


Organisational Development should review the 
scope of the Moderation Panel and the 
continued need for it to meet formally at the year 
end. 


Following this review, if ICO management still 
consider the Panel to be a value added forum, 
the Panel name and Terms of Reference should 
be updated to reflect its new role and 
responsibilities. 


The role of the Moderation Panel will be 
reviewed and updated in the next iteration of the 
PDR guidance. Options include scrapping the 
panel, as a Not Effective rating can only be 
awarded following formal performance 
management processes. 


Date Effective: April 2016 (new performance 
year) 


Owner: Mike Collins 
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2.2 Managers may not receive support and guidance in implementing the ICO's performance management framework 


2. 


PDR guidance and management development 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


Upon implementation, the PDR process was rolled out to all 
staff together with a short presentation and training session 
that highlighted the benefits of the new system and the 
method by which the in-year or end of year assessments 
should take place. 


As part of our review, we interviewed a sample of ten staff 
members (both team members and line managers). Whilst 
all staff interviewed confirmed that the performance 
management process is much easier to administer, three 
main themes emerged from the discussions: 


° Whilst the process works well for those in the middle of 
the reporting scale (performing effectively with minimal 
or few areas identified for development), it is less 
effective for those who are performing poorly or 
performing excellently. This is because the process 
relies on management experience and input to manage 
those staff in each category; 

. Coupled with the lack of a reward or recognition 
process, as staff can no longer be formally recognised 
via the box marking system as 'above average' the 
PDR process does not provide any motivation to 
deliver exceptional performance; 

° Supporting these views, managers noted that beyond 
the original performance development training 
sessions, they have not received formal guidance from 
Learning and Development in areas such as coaching, 
developing and retention of excellent performers or 
performance improvement. 


In moving to a two box marking system, the need for line 
managers to coach, support, develop and motivate has 


Taking into account the changes in the 
performance appraisal and development 
process, Learning and Development should 
review and develop the guidance and support 
available for both staff and managers to include 
such areas as managing and developing poor 
performance and coaching and development of 
staff and maximising potential. 


To sit alongside the PDR process, Learning and 
Development should also complete the 
development of the informal reward and 
recognition policy and procedure. This policy 
should then be presented to the Senior 
Leadership Team for agreement and release. 


Managing Poor Performance processes to be 
reviewed as part of update of Resolution 
Policies. 


‘A brief guide for recognising great performance” 
has been written and published for managers in 
November 2015. 


Access to coaching and mentoring is available 
to managers via L&D, and is being accessed by 
a number of them. This can be emphasised via 
the manager peer network which has been 
established and is facilitated by L&D. 


Managing Poor Performance training and 
guidance is part of the suite of training available 
for managers. 


Date Effective: Managing Poor Performance 
policy update to be complete by 31.3.16 (other 
actions already completed) 


Owner: Mike Collins 
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2 Medium | PDR guidance and management development 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


increased. There is a risk that, without effective reward and 
development policies or guidance and training in place, the 
opportunity to manage both excellent and poor performance 
is not identified and individuals do not reach their potential. 
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3. | Medium | Maintenance of PDR records and data 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


As part of the ongoing PDR process, performance and 
development should be discussed in face to face meetings 
between the member of staff and their line manager ona 
regular basis. Whilst the frequency of these meetings is 
flexible to account for staff experience and the need for 
support, it is recommended that a minimum of at least three 
meetings a year should take place. At the end of each year, 
a formal meeting should then be held to document the 
individual’s performance compared to their agreed 
objectives, confirm the final box marking and agree areas 
and tools for development. The formal performance 
development record should then be submitted to 
Organisational Development. 


During our interviews with staff members, it was confirmed 
that all had received a formal appraisal at the end of the 
2014-15 reporting year, and during 2015-16 had taken part 
in at least one in-year development and appraisal 
discussion. A review of 25 staff records however noted that 
5 had no end of year performance record submitted and no 
reason for the missing information recorded. In addition 
Learning and Development do not maintain a record of 
either the completion or indicative markings of in-year 
discussions. 


In not maintaining central control over the PDR process, 
there is a risk that on-going performance management does 
not take place consistently across the ICO, managers may 
take actions that is not compliant with published policies and 
associated legislation, and individual performance issues 
and development needs are not promptly identified and 
addressed 


To provide assurance on the effective operation 
of the PDR process, the Learning and 
Development team should maintain central 
control of PDR records. This should include: 


e Registration (date) of in year meetings and 
assessment markings; 

e Registration (date) and formal assessment 
marking at end of year; 

e Agreed completed PDR assessment form. 


To facilitate the process, Learning and 
Development should also send reminders to 
staff and line managers at key points in the 
appraisal process to remind personnel of their 
on-going responsibilities. 


PDR system only requires end of year markings 
to be recorded to reduce administration. 


Minfo (Online HR application) functionality to be 
switched on to allow managers to update PDR 
records, including dates, assessment markings 
and automated reports created for staff and line 
managers. 


Until Minfo functionality is switched on, 
reminders to be provided to managers to ensure 
PDR records are submitted at year end. 


Date Effective: 31.3.16 


Owner: Mike Collins 
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2.3 _Individual’s objectives may not support their development nor align with the ICO’s strategic objectives 


4. Objective setting 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


As part of the PDR guidance, staff and managers have been 
provided with instruction on the development and setting of 
SMART objectives. 


Our review of this guidance documentation found that, whilst 
it provides examples of both 'good' and 'poor' SMART 
objectives, and measuring success, it does not specifically 
note that individual objectives should support the ICO or 
business unit strategy or provide advice on the 
recommended average number of objectives to assign staff. 


Our review of a sample of ten staff member's objectives set 
in 2015-16 identified that whilst the link between the ICO 
strategy and objectives could be broadly determined in all 
the cases examined, their construction was inconsistent 
across ICO business units. Whilst five staff members in our 
sample have clearly set out aims, objectives and measures, 
four others have only objectives or process aims. One 
member of staff selected for testing did not have any 
objectives set for the year. 


In not developing a consistent set of SMART aims and 
objectives across the ICO, or by not providing staff with 
objectives, there is a risk that staff may not be assessed 
effectively resulting in the inability motivate staff, maximise 
their potential or enable appropriate action to be taken to 
address poor individual performance 


At the beginning of each reporting year, 
Business Unit Managers should develop a 
standard SMART set of aims, objectives and 
measures for staff in their Business Units that 
directly support the business unit aims (and 
therefore ultimately the ICO strategy). Prior to 
these being rolled out to staff, these aims and 
objectives should be reviewed by Learning and 
Development to provide assurance that in 
addition to the strategic fit, they are also 
consistent across the department. 


It is impractical to have a single set of SMART 
objectives for the business units to use. It is also 
impractical to require L&D to sign these off 
before roll out. 


Heads of department will be reminded of need 
for their managers to create objectives that 
relate to the business plan and seek support 
from L&D if they assistance with making them 
SMART. 


Date Effective: April 2016 


Owner: Mike Collins 
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5. | Medium | Management information and reporting 


Finding and Implication 


Proposed action 


Agreed action (Date / Ownership) 


At the time of our review, a report to the Senior Leadership 
or Executive Teams on the 2014-15 end of year PDR 
process had not yet been completed. Our review of 
information held by Learning and Development found that 
they no longer maintain complete statistics on either the 
percentage completion, staff markings, performance 
improvement or development actions undertaken during the 
year. ICO management cannot therefore be provided with an 
overview of either the effectiveness of the process as a 
development or management tool, or how embedded it is 
into the department. 


In not maintaining this information, there is a risk that trends 
in performance, performance issues and development needs 
across the ICO are not promptly identified resulting in an 
ineffective use of ICO resource or the inability motivate staff 
and maximise their potential . 


As part of the central control of PDR records, 
HR should collate and report management 
information on: 


e Total number of PDRs completed at the end 
of the previous reporting year and their 
associated final mark; 

e Total number of completed PDRs sent to HR 
for retention centrally; 

e Total number of in year reviews completed 
and their associated marking; 

e Total number of informal performance plans 
in operation; 

e Number of staff moving from an informal 'not 
effective’, to 'effective' during the year (and 
vice versa); 

e Total number of staff currently on formal 
performance improvement measures; 

e Overall performance statistics (what 
percentage of staff fall into each 
performance category) together with a 
comparison against expected target 
percentages for each category. 


This information should be presented to the 
Senior Leadership Team on a quarterly basis so 
trends in performance (and assurance over PDR 
completion) can be ascertained. 


As part of the transition to Minfo based PDRs, 
we will ask the database suppliers to create auto 
reports providing this information to heads of 
departments and HR. 


We do not wish to impose forced distribution or 
targets for each performance category. 


Date Effective: April 2016 


Owner: Mike Collins 
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A Internal audit approach 


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the Auditing 
Practices Board’s “Guidance for Internal Auditors’. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). In addition, we comply in all material respects with other 
Government guidance applicable to Public Bodies and have had regard to 
the HM Treasury guidelines on effective risk management (the ‘Orange 
Book’). 


As part of the internal audit plan for 2015-16, we agreed to deliver a review 
of the ICO’s staff performance management arrangements to confirm that 
the ICO has a robust staff performance management process that supports 
the achievement of organisational and departmental objectives. 


We achieved our audit objectives by: 


e Meeting with the individuals responsible for setting, monitoring and 
implementing the performance management process to identify the 
control structure in place; 
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e Seeking evidence to confirm the operation of understood controls, 
including sample testing where appropriate; 

e Meeting with a sample of individuals with responsibility for carrying 
out the performance reviews across the ICO to understand and test 
the processes operated in completing performance reviews; 

e Meeting with a sample of staff to understand their experience of the 
performance review process; and 

e Testing a sample of individual appraisal documents to confirm that the 
required documentation is present and complete. We also considered 
whether goals set are SMART and aligned to the understood structure 
for goals and development aims for the year. 


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 

The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 
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HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain 
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


e The framework for performance management may not be established, 
clearly communicated and/or fully embedded across the ICO, resulting 
in a process that may not support ICO objectives, with staff and 
managers not being fully aware of their responsibilities and the failure 
to deliver performance reviews that enable the effective delivery of 
individual, departmental and organisational goals; 

e Managers may not receive support and guidance in implementing the 
ICO's performance management framework, resulting in staff may not 
be consistently assessed across the ICO against SMART objectives, 
with managers taking actions that may not compliant with published 
policies and associated legislation, and individual performance issues 
and development needs not being promptly identified and addressed; 

e Individual’s objectives may not support their development nor align 
with the ICO’s strategic objectives, resulting in the failure to motivate 
staff to maximise their potential and the inability of the ICO to 
objectively measure performance and enable appropriate action to be 
taken to address poor individual performance. 
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e Managers may not regularly engage with their staff to discuss 
performance and the steps needed to address improvement areas, with 
indicators of poor performance may not be promptly identified and 
addressed before individual performance resulting in a detrimental 
impact on the performance of the ICO and on staff motivation; 

e Effective data on staff performance may not be produced or utilised, 
resulting in performance issues and development needs not being 
promptly identified and actioned and the ongoing poor performance 
of individuals and the ICO. 


Additional information 

Client staff 

The following staff were consulted as part of this review: 

e = Michael Collins — Head of Organisational Development 
e Katy Hulme — HR Manager 

e Frances Adamson — Learning and Development Manager 
e Deborah Toone — Learning and Development 

e Andrew Laing — Head of Performance Improvement 

e Team Leaders and Team Members from across the ICO 


Documents received 

The following documents were received during the course of this audit: 

e Revised PDR process presentation (September 2014); 

e ICO PDR guide (May 2015); 

e SMART Objectives training hand out; 

e SMART Objectives — Good Objectives; 

e SMART Objectives — Poor Objectives; 

e Sample Blank PDR form (2015-16); 

e Probationary period policy and procedure; 

e Managing poor performance policy and procedure; 

e Business unit objectives (Customer Contact, Performance 
Improvement, Organisational Development); 
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e Staff objectives. 


Locations 
We visited The Information Commissioner's Office, Wilmslow for this 
review. 
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B Definition of overall assessment internal audit ratings 


Overall assessment 


Rating Description 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 


Rating Description Features 


Key control not designed or operating effectively 

Potential for fraud identified 

Non compliance with key procedures / standards 

Non compliance with regulation 

Impact is contained within the department and compensating 
controls would detect errors 

e Possibility for fraud exists 

e Control failures identified but not in key controls 

e Non compliance with procedures / standards (but not resulting in key 
control failure) 

Minor control weakness 

Minor non compliance with procedures / standards 
Information for department management 

Control operating but not necessarily in accordance with best 
practice 


Findings that are fundamental to the management of risk in the business 
area, representing a weakness in control that requires the immediate 
attention of management 


Important findings that are to be resolved by line management. 


Findings that identify non-compliance with established procedures. 


Items requiring no action but which may be of interest to management or 
best practice advice 
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